Hi @Auth0,
Scenario: Person Alice, logged in to her laptop at example.com via Auth0 (which provided the tokens: access_token_1, id_token_1, expires_in, …).
Again, Alice logged in to another laptop at example.com via Auth0, which provided the tokens: access_token_2, id_token_2, expires_in, ….
Is there any feature/way in Auth0 (dashboard) to make the first token illegal?
Sub-question(s):
Will the access_token be valid for the next 1.5 hours (even if the user has logged out)?
One of our senior engineers gave a great answer to this previously, which I will quote below. Paired with our logout documentation attached, it should give you what you need to conquer this request in your app.
Please let us know if you have any additional questions I can assist with. Thanks!
Hi @James.Morrison,
I understood what @jmangelo has to say for the access_token, and I like his approach to the problem.
One question: How can I revoke the access_token (before the expiry time)?
Scenario:
During the logout procedure (in the JavaScript API), the custom logout method gets called (which in turn calls Auth0's logout method), which then calls "https://example.auth0.com/v2/logout" with "client_id", "returnTo", "auth0Client". (There's no transfer of access_token or id_token.)
You can leverage this endpoint, which will delete all associated grants and refresh tokens for a particular user ID (the Management API expects a bearer token in the Authorization header): curl -X DELETE -H 'Authorization: Bearer {{your-management-api-token}}' 'https://{{your-auth0-domain}}/api/v2/grants?user_id={{your-user-id}}'
Please let me know if this helps you in your quest @adb or if you have any additional questions.
After talking with one of our senior engineers on this subject, I wanted to pass along the feedback I received. They recommend shortening the expiry time. To what extent depends on your system architecture. Thanks!
This can be altered in the Token Expiration (Seconds) field for your API in the Dashboard's APIs section. Below is an article that dives into this in more depth. Thanks!
Hi @James.Morrison,
I was able to change the expiry value of the access_token …
First I mapped the REST API I wanted to secure (e.g. https://test.example.com/api/v1) by creating a new API app (in Dashboard -> APIs section).
Then, in token settings, I changed the 'Token Expiration (Seconds)' and 'Token Expiration For Browser Flows (Seconds)'.
Then I called /userinfo after the time had expired (with the access_token in the header); it returned HTTP 401.
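The two points raised in this thread (an access token stays valid until its `exp` claim passes, and the only lever Auth0 itself offers is a shorter expiry plus revoking the user's grants) can be combined on the resource-server side. The following is an added example, not code from the thread or from Auth0: a minimal resource server that verifies the token, enforces `exp` with a small clock-skew allowance, and additionally rejects any token issued before the user's last logout. The HS256 shared secret, the `mint_token`, `logout` and `validate` names, and the `revoked_before` map are all assumptions of this example (Auth0 signs access tokens with RS256 against the tenant's JWKS, and keeps no such per-user cutoff for you; your API would have to record it when your logout handler runs). Revocation is keyed by user, the same granularity as the grants endpoint mentioned above, so in the two-laptop scenario a logout on one laptop invalidates the token held by the other one as well.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret so the example runs offline; Auth0 uses RS256 and
# a resource server would verify against the tenant's JWKS instead.
SECRET = b"constructed-demo-secret-not-for-production"

# Assumed server-side state: user id -> unix time of that user's last logout.
revoked_before = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, issued_at: int, lifetime: int) -> str:
    """Stand-in for the token Auth0 issues at login: sub, iat and exp claims.

    `lifetime` plays the role of the API's 'Token Expiration (Seconds)' setting.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": issued_at, "exp": issued_at + lifetime}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def logout(sub: str, now: int) -> None:
    """Called by the application's logout handler: remember when the user left."""
    revoked_before[sub] = now


def validate(token: str, now: int, skew: int = 30) -> tuple:
    """Return (http_status, reason) the resource server would answer with."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return 401, "malformed"

    # Signature first: never trust claims from an unverified token.
    expected = hmac.new(
        SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return 401, "bad signature"

    claims = json.loads(_b64url_decode(payload_b64))

    # Expiry: this is the 401 observed when calling /userinfo after expiry.
    if now > claims["exp"] + skew:
        return 401, "expired"

    # Logout cutoff: iat has one-second granularity, so a token issued in the
    # same second as the logout is treated as pre-logout (fail closed).
    cutoff = revoked_before.get(claims["sub"])
    if cutoff is not None and claims["iat"] <= cutoff:
        return 401, "revoked at logout"

    return 200, "ok"


if __name__ == "__main__":
    # Constructed timeline: two laptops, 1.5 h (5400 s) tokens, logout at t=1400.
    laptop1 = mint_token("alice", 1000, 5400)
    laptop2 = mint_token("alice", 1200, 5400)
    print("before logout:", validate(laptop1, 1300), validate(laptop2, 1300))
    logout("alice", 1400)
    print("after logout: ", validate(laptop1, 1500), validate(laptop2, 1500))
    print("after expiry: ", validate(mint_token("bob", 1000, 5400), 6431))
```

The skew allowance only extends acceptance a few seconds past `exp`; shortening the API's token lifetime in the Dashboard still bounds how long a token that was never explicitly revoked remains usable, and the `revoked_before` check is what closes the gap for the logout case the original question asks about.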